When you setup WP you (the webserver) may need write access to the files. So the access rights may need to be loose.

当您设置 WP 时，您（网络服务器）可能需要对文件进行写访问。所以访问权限可能需要放宽。

chown www-data:www-data  -R * # Let Apache be owner
find . -type d -exec chmod 755 {} \;  # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \;  # Change file permissions rw-r--r--

After the setup you shouldtighten the access rights, according to Hardening WordPressall files except for wp-content should be writable by your user account only. wp-content must be writable by www-datatoo.

设置后，您应该收紧访问权限，根据Hardening WordPress，除 wp-content 之外的所有文件都只能由您的用户帐户写入。wp-content 也必须可由www-data写入。

chown <username>:<username>  -R * # Let your useraccount be owner
chown www-data:www-data wp-content # Let apache be owner of wp-content

Maybe you want to change the contents in wp-content later on. In this case you could

也许您想稍后更改 wp-content 中的内容。在这种情况下你可以

• temporarily change to the user to www-datawith su,
• give wp-content group write access 775 and join the group www-dataor
• give your user the access rights to the folder using ACLs.

• 暂时改变到用户WWW的数据与su，
• 给 wp-content 组写访问权限 775 并加入组www-data或
• 使用ACL授予您的用户对该文件夹的访问权限。

Whatever you do, make sure the files have rw permissions for www-data.

无论您做什么，请确保文件具有www-data 的rw 权限。

Giving the full access to all wp files to www-datauser (which is in this case the web server user) can be dangerous. So rather do NOTdo this:

将所有 wp 文件的完全访问权限授予www-data用户（在这种情况下是 Web 服务器用户）可能很危险。所以不要这样做：

chown www-data:www-data -R *

It can be useful however in the moment when you're installing or upgrading WordPress and its plug-ins. But when you finished it's no longer a good idea to keep wp files owned by the web server.

然而，当您安装或升级 WordPress 及其插件时，它会很有用。但是，当您完成后，保留 Web 服务器拥有的 wp 文件不再是一个好主意。

It basically allows the web server to put or overwrite any file in your website. This means that there is a possibility to take over your site if someone manage to use the web server (or a security hole in some .php script) to put some files in your website.

它基本上允许 Web 服务器放置或覆盖您网站中的任何文件。这意味着如果有人设法使用 Web 服务器（或某些 .php 脚本中的安全漏洞）将某些文件放入您的网站，则有可能接管您的网站。

To protect your site against such an attack you should to the following:

为了保护您的站点免受此类攻击，您应该执行以下操作：

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process.

/

The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/

The WordPress administration area: all files should be writable only by your user account.

/wp-includes/

The bulk of WordPress application logic: all files should be writable only by your user account.

/wp-content/

User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/you will find:

/wp-content/themes/

Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

/wp-content/plugins/

Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/should be documented by whichever plugin or theme requires them. Permissions may vary.

所有文件都应该归您的用户帐户所有，并且应该是您可写的。任何需要来自 WordPress 的写访问权限的文件都应该由 Web 服务器写入，如果您的主机设置需要它，这可能意味着这些文件需要由 Web 服务器进程使用的用户帐户拥有。

/

WordPress 根目录：所有文件只能由您的用户帐户写入，如果您希望 WordPress 自动为您生成重写规则，则 .htaccess 除外。

/wp-admin/

WordPress 管理区域：所有文件只能由您的用户帐户写入。

/wp-includes/

大部分 WordPress 应用程序逻辑：所有文件都应该只能由您的用户帐户写入。

/wp-content/

用户提供的内容：旨在由您的用户帐户和 Web 服务器进程写入。

在里面/wp-content/你会发现：

/wp-content/themes/

主题文件。如果要使用内置的主题编辑器，则所有文件都需要 Web 服务器进程可写。如果您不想使用内置的主题编辑器，则所有文件只能由您的用户帐户写入。

/wp-content/plugins/

插件文件：所有文件只能由您的用户帐户写入。

可能存在的其他目录/wp-content/应由需要它们的插件或主题记录。权限可能会有所不同。

Source and additional information: http://codex.wordpress.org/Hardening_WordPress

来源和附加信息：http: //codex.wordpress.org/Hardening_WordPress

For those who have their wordpress root folder under their home folder:

对于那些在他们的主文件夹下有他们的 wordpress 根文件夹的人：

** Ubuntu/apache

** Ubuntu/阿帕奇

1. Add your user to www-data group:

1. 将您的用户添加到 www-data 组：

CREDIT Granting write permissions to www-data group

信用授予对 www-data 组的写入权限

You want to call usermodon your user. So that would be:

你想打电话usermod给你的用户。所以那将是：

sudo usermod -aG www-data yourUserName

** Assuming www-datagroup exists

** 假设www-data组存在

1. Check your user is in www-datagroup:

   groups yourUserName

2. 检查您的用户是否在www-data组中：

   groups yourUserName

You should get something like:

你应该得到类似的东西：

youUserName : youUserGroupName www-data

** youUserGroupName is usually similar to you user name

** youUserGroupName 通常与您的用户名相似

1. Recursively change group ownership of the wp-content folder keeping your user ownership

   chown yourUserName:www-data -R youWebSiteFolder/wp-content/*

2. Change directory to youWebSiteFolder/wp-content/

   cd youWebSiteFolder/wp-content

3. Recursively change group permissions of the folders and sub-folders to enable write permissions:

   find . -type d -exec chmod -R 775 {} \;

3. 递归更改 wp-content 文件夹的组所有权，保留您的用户所有权

   chown yourUserName:www-data -R youWebSiteFolder/wp-content/*

4. 将目录更改为 youWebSiteFolder/wp-content/

   cd youWebSiteFolder/wp-content

5. 递归更改文件夹和子文件夹的组权限以启用写入权限：

   find . -type d -exec chmod -R 775 {} \;

** mode of `/home/yourUserName/youWebSiteFolder/wp-content/' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

** `/home/yourUserName/youWebSiteFolder/wp-content/' 的模式从 0755 (rwxr-xr-x) 更改为 0775 (rwxrwxr-x)

1. Recursively change group permissions of the files and sub-files to enable write permissions:

   find . -type f -exec chmod -R 664 {} \;

6. 递归更改文件和子文件的组权限以启用写入权限：

   find . -type f -exec chmod -R 664 {} \;

The result should look something like:

结果应该类似于：

WAS:
-rw-r--r--  1 yourUserName www-data  7192 Oct  4 00:03 filename.html
CHANGED TO:
-rw-rw-r--  1 yourUserName www-data  7192 Oct  4 00:03 filename.html

Equivalent to:

相当于：

chmod -R ug+rw foldername

chmod -R ug+rw 文件夹名

Permissions will be like 664 for files or 775 for directories.

权限类似于文件的 664 或目录的 775。

P.s. if anyone encounters error 'could not create directory'when updating a plugin, do:
server@user:~/domainame.com$ sudo chown username:www-data -R wp-content
when you are at the root of your domain.
Assuming: wp-config.phphas
FTP credentials on LocalHost
define('FS_METHOD','direct');

Ps 如果有人'could not create directory'在更新插件时遇到错误，请执行以下操作：
server@user:~/domainame.com$ sudo chown username:www-data -R wp-content
当您位于域的根目录时。
假设：在 LocalHost 上wp-config.php有
FTP 凭据
define('FS_METHOD','direct');

Best to read the wordpress documentation on this https://wordpress.org/support/article/changing-file-permissions/

最好阅读此https://wordpress.org/support/article/changed-file-permissions/上的 wordpress 文档

• All files should be owned by the actual user's account, not the user account used for the httpd process
• Group ownership is irrelevant, unless there's specific group requirements for the web-server process permissions checking. This is not usually the case.
• All directories should be 755 or 750.
• All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
• No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.

• 所有文件都应该由实际用户的帐户拥有，而不是用于 httpd 进程的用户帐户
• 组所有权无关紧要，除非对 Web 服务器进程权限检查有特定的组要求。通常情况并非如此。
• 所有目录都应该是 755 或 750。
• 所有文件都应该是 644 或 640。例外：wp-config.php 应该是 440 或 400，以防止服务器上的其他用户读取它。
• 任何目录都不应该被赋予 777，即使是上传目录。由于 php 进程作为文件的所有者运行，它获得所有者的权限，甚至可以写入 755 目录。

I set permissions to:

我将权限设置为：

    # Set all files and directories user and group to wp-user
    chown wp-user:wp-user -R *

    # Set uploads folder user and group to www-data
    chown www-data:www-data -R wp-content/uploads/

    # Set all directories permissions to 755
    find . -type d -exec chmod 755 {} \;

    # Set all files permissions to 644
    find . -type f -exec chmod 644 {} \;

In my case I created a specific user for WordPress which is different from the apache default user that prevent access from the web to those files owned by that user.

就我而言，我为 WordPress 创建了一个特定用户，该用户不同于 apache 默认用户，后者阻止从 Web 访问该用户拥有的那些文件。

Then it gives permission to apache user to handle the upload folder and finally set secure enough file and folder permissions.

然后它授予 apache 用户处理上传文件夹的权限，最后设置足够安全的文件和文件夹权限。

EDITED

已编辑

If you're using W3C Total Cache you should do the next also:

如果您正在使用 W3C Total Cache，您还应该执行以下操作：

rm -rf wp-content/cache/config
rm -rf wp-content/cache/object
rm -rf wp-content/cache/db
rm -rf wp-content/cache/minify
rm -rf wp-content/cache/page_enhanced

Then it'll work!

然后它会起作用！

EDITED

已编辑

After a while developing WordPress sites I'd recommend different file permissions per environment:

在开发 WordPress 网站一段时间后，我建议每个环境使用不同的文件权限：

In production, I wouldn't give access to users to modify the filesystem, I'll only allow them to upload resources and give access to some plugins specific folders to do backups, etc. But managing projects under Git and using deploy keys on the server, it isn't good update plugins on staging nor production. I leave here the production file setup:

在生产中，我不会授予用户修改文件系统的权限，我只允许他们上传资源并授予访问某些插件特定文件夹的权限以进行备份等。但是在 Git 下管理项目并使用部署密钥服务器，它在登台或生产上都不是很好的更新插件。我在这里留下生产文件设置：

# Set uploads folder user and group to www-data
chown www-data:www-data -R wp-content/uploads/

www-data:www-data = apache or nginx user and group

www-data:www-data = apache 或 nginx 用户和组

Staging will share the same production permissions as it should be a clone of it.

暂存将共享相同的生产权限，因为它应该是它的克隆。

Finally, development environment will have access to update plugins, translations, everything...

最后，开发环境将可以访问更新插件，翻译，一切......

# Set uploads folder user and group to www-data
chown www-data:www-data -R wp-content/

# Set uploads folder user and group to www-data
chown your-user:root-group -R wp-content/themes

# Set uploads folder user and group to www-data
chown your-user:root-group -R wp-content/plugins/your-plugin

www-data:www-data = apache or nginx user and groupyour-user:root-group = your current user and the root group

www-data:www-data = apache 或 nginx 用户和组your-user:root-group = 您当前的用户和根组

These permissions will give you access to develop under themesand your-pluginfolder without asking permission. The rest of the content will be owned by the Apache or Nginx user to allow WP to manage the filesystem.

这些权限将使您无需征得许可即可访问开发themes和your-plugin文件夹。其余内容将由 Apache 或 Nginx 用户拥有，以允许 WP 管理文件系统。

Before creating a git repo first run these commands:

在创建 git repo 之前，首先运行以下命令：

# Set all directories permissions to 755
find . -type d -exec chmod 755 {} \;

# Set all files permissions to 644
find . -type f -exec chmod 644 {} \;

Correct permissions for the file is 644 Correct permissions for the folder is 755

文件的正确权限为 644 文件夹的正确权限为 755

To change the permissions , use terminal and following commands.

要更改权限，请使用终端和以下命令。

find foldername -type d -exec chmod 755 {} \;
find foldername -type f -exec chmod 644 {} \;

755 for folders and 644 for files.

755 个文件夹和 644 个文件。

It actually depends on the plugins you plan to use as some plugins change the root document of the wordpress. but generally I recommend something like this for the wordpress directory.

这实际上取决于您计划使用的插件，因为某些插件会更改 wordpress 的根文档。但通常我会为 wordpress 目录推荐这样的东西。

This will assign the "root" (or whatever the user you are using) as the user in every single file/folder, R means recursive, so it just doesn't stop at the "html" folder. if you didn't use R, then it only applicable to the "html" directory.

这会将“root”（或您使用的任何用户）分配为每个文件/文件夹中的用户，R 表示递归，因此它不会停在“html”文件夹中。如果你没有使用 R，那么它只适用于“html”目录。

sudo chown -R root:www-data /var/www/html  

This will set the owner/group of "wp-content" to "www-data" and thus allowing the web server to install the plugins through the admin panel.

这会将“wp-content”的所有者/组设置为“www-data”，从而允许 Web 服务器通过管理面板安装插件。

chown -R www-data:www-data /var/www/html/wp-content

This will set the permission of every single file in "html" folder (Including files in subdirectories) to 644, so outside people can't execute any file, modify any file, group can't execute any file, modify any file and only the user is allowed to modify/read files, but still even the user can't execute any file. This is important because it prevents any kind of execution in "html" folder, also since the owner of the html folder and all other folders except the wp-content folder are "root" (or your user), the www-data can't modify any file outside of the wp-content folder, so even if there is any vulnerability in the web server, and if someone accessed to the site unauthorizedly, they can't delete the main site except the plugins.

这会将“html”文件夹中的每个文件（包括子目录中的文件）中的每个文件的权限设置为644，因此外部人员不能执行任何文件，修改任何文件，组不能执行任何文件，修改任何文件并且只有允许用户修改/读取文件，但即使用户也不能执行任何文件。这很重要，因为它可以防止在“html”文件夹中执行任何类型的操作，而且由于 html 文件夹和除 wp-content 文件夹之外的所有其他文件夹的所有者都是“root”（或您的用户），因此 www-data 可以' t 修改 wp-content 文件夹外的任何文件，因此即使 Web 服务器存在任何漏洞，如果有人未经授权访问该站点，除了插件之外，他们无法删除主站点。

sudo find /var/www/html -type f -exec chmod 644 {} +

This will restrict the permission of accessing to "wp-config.php" to user/group with rw-r----- these permissions.

这会将访问“wp-config.php”的权限限制为具有 rw-r-----这些权限的用户/组。

chmod 640 /var/www/html/wp-config.php

And if a plugin or update complained it can't update, then access to the SSH and use this command, and grant the temporary permission to "www-data" (web server) to update/install through the admin panel, and then revert back to the "root" or your user once it's completed.

如果插件或更新抱怨无法更新，则访问 SSH 并使用此命令，并授予“www-data”（网络服务器）临时权限以通过管理面板更新/安装，然后恢复完成后返回“root”或您的用户。

chown -R www-data /var/www/html

And in Nginx (same procedure for the apache)to protect the wp-admin folder from unauthorized accessing, and probing. apache2-utils is required for encrypting the password even if you have nginx installed, omit c if you plan to add more users to the same file.

并在 Nginx（与 apache 相同的程序）中保护 wp-admin 文件夹免受未经授权的访问和探测。即使您安装了 nginx，也需要 apache2-utils 来加密密码，如果您打算将更多用户添加到同一文件中，请省略 c。

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd userName

Now visit this location

现在访问这个位置

/etc/nginx/sites-available/

Use this codes to protect "wp-admin" folder with a password, now it will ask the password/username if you tried to access to the "wp-admin". notice, here you use the ".htpasswd" file which contains the encrypted password.

使用此代码用密码保护“wp-admin”文件夹，现在如果您尝试访问“wp-admin”，它会询问密码/用户名。请注意，这里您使用包含加密密码的“.htpasswd”文件。

location ^~ /wp-admin {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    index  index.php index.html index.htm;
}

Now restart the nginx.

现在重启nginx。

sudo /etc/init.d/nginx restart

I think the below rules are recommended for a default wordpress site:

我认为对于默认的 wordpress 站点推荐以下规则：

• For folders inside wp-content, set 0755 permissions:

  chmod -R 0755 plugins

  chmod -R 0755 uploads

  chmod -R 0755 upgrade

• Let apache user be the owner for the above directories of wp-content:

  chown apache uploads

  chown apache upgrade

  chown apache plugins

• 对于 wp-content 内的文件夹，设置 0755 权限：

  chmod -R 0755 插件

  chmod -R 0755 上传

  chmod -R 0755 升级

• 让 apache 用户成为上述 wp-content 目录的所有者：

  chown apache 上传

  chown apache 升级

  chown apache 插件

Commands:

命令：

chown www-data:www-data -R *
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

Where ftp-user is what user you are using to upload the files

其中 ftp-user 是您用来上传文件的用户

chown -R ftp-user:www-data wp-content
chmod -R 775 wp-content

chown -Rv www-data:www-data
chmod -Rv 0755 wp-includes
chmod -Rv 0755 wp-admin/js
chmod -Rv 0755 wp-content/themes
chmod -Rv 0755 wp-content/plugins
chmod -Rv 0755 wp-admin
chmod -Rv 0755 wp-content
chmod -v 0644 wp-config.php
chmod -v 0644 wp-admin/index.php
chmod -v 0644 .htaccess